topic Re: UFW Access to WinEventLogs in Deployment Architecture

UFW Access to WinEventLogs

tsocyberoperati — Mon, 21 Jul 2025 15:05:23 GMT

Hello All,

We have a Splunk Universal Forwarder 9.4.0 (then 9.4.3) installed on a Windows 2022 box to which we don't have direct access.
We have deployed some apps and the forwarder manages to send us its splunkd.log and some other monitor inputs but we are not able to get the WinEvents (Applications/System/Security) using the specific stanzas.

The host is more hardened that usual, but the Admins managed to configure what they believe are the EventLog permissions, to no avail. Something like this, never happened to us.

We tried updating the agent version and configuring the installation both with LOCAL System permissions and Virtual Account permissions, but still no success.

We don't see any relevant internal info regarding some problem with Permissions or EventLog access.

- is there any event we should look for on Windows Logs or UFW logs to undertand this problem?
- Is there anything we can activate in the UFW to get more info about this limitation?

Thank you

Re: UFW Access to WinEventLogs

kiran_panchavat — Mon, 21 Jul 2025 15:28:17 GMT

@tsocyberoperati

Has this forwarder ever successfully onboarded Windows Security events into Splunk in the past?

Re: UFW Access to WinEventLogs

tsocyberoperati — Mon, 21 Jul 2025 15:40:53 GMT

This is a new installation.
So, no, no Windows Security events onboarded in the past.
Thank you.

Re: UFW Access to WinEventLogs

SanjayReddy — Mon, 21 Jul 2025 18:37:11 GMT

Hi @tsocyberoperati

are you seeing any permission related issues on Splunkd.log

also check splunk forwarder is running as local user or nt_ user

try running splunk with local user and restart the splunk service

Re: UFW Access to WinEventLogs

tsocyberoperati — Mon, 21 Jul 2025 19:18:56 GMT

Hello

Your questions are answered in the original post.

Thank you

Re: UFW Access to WinEventLogs

PickleRick — Mon, 21 Jul 2025 19:53:28 GMT

There can be several possible issues probably but since you say that the host has been "additionally hardened" I'd hazard a guess that you have applocker policy preventing unknown/not-whitelisted apps from running. Since the eventlogs are ingested by means of spawning external .exe, if it's not whitelisted, it will fail.